HP Report Elaborates on Contradictions in Security Risks

In publishing its “Security Research Cyber Risk Report 2013,” an annual update, HP has delved into a number of the most vexing contradictions in security and risk management. The report’s goal, states HP, is “to provide security information that can be used to understand the vulnerability landscape and best deploy resources to minimize security risk.”

Key findings included these:

“Research gains attention, but vulnerability disclosures stabilize and decrease in severity.” The number of publicly disclosed vulnerabilities remained stable in 2013, as the number of high-severity vulnerabilities dropped for the fourth year in a row. Asks HP, “Is this a good indication of the improving awareness of security in software development or does this indicate a more nefarious trend – the increased price of vulnerabilities on the black market for APTs resulting in less public disclosures?”

“80 percent of applications contain vulnerabilities exposed by incorrect configuration.” Misconfiguration makes even perfectly coded software vulnerable: HP’s examination of 2200 applications found that vulnerabilities arose from server misconfiguration, improper file settings, sample content, outdated versions and other issues. All the bug audits in the world won’t address this significant set of vulnerabilities, because they live in deployment settings rather than in the code.

“Differing definitions of ‘malware’ make measuring mobile malware risk extremely difficult.” This one is very interesting: The attention focused on what we generally refer to as mobile malware continues to increase. However, HP points out that the ways Google, Apple and antivirus companies judge and classify the behaviors and features of mobile applications are nowhere near standardized, and that inconsistency is skewing the numbers. That may, in turn, be causing some firms to place their efforts and budgets in the wrong areas. Classifying apps that contain adware as malware seems to account for the largest portion of this contradiction. Though some adware libraries reportedly contain backdoor functionality and are classified as malware by more than one antivirus company, HP found that “there is massive variability between the determinations made by different AV companies. It seems one person’s adware might be another’s benign app.”

“46 percent of mobile iOS and Android applications use encryption improperly.” While encryption is often named as the most underused data protection strategy, especially in mobile device and data management, HP finds that its improper use is widespread. Among other specific problems HP detected, “the statistics indicate that the developers either completely miss encryption before storing sensitive information on device or often rely on weak algorithms.”

To see more findings, including a detailed analysis of targeted attacks in South Korea that demonstrated how vulnerable organizations are to multiple-vector threats, you can download the report (free with registration) here: HP Security Research Cyber Risk Report 2013.